Authentication collaboration system, ID provider device, and program

ABSTRACT

A policy storage unit of an ID provider device according to an embodiment stores, for each service provider ID, policy information representing a user to which transmission of service data is permitted and policy information representing a user of a target in which transmission permission of service data is deleted. When a predetermined cycle comes or when a use status of the service provider device changes, the ID provider device acquires use status information of the service provider device transmitted from the service provider device, and updates a service use status storage unit based on the acquired use status information. When the service use status storage unit is updated, the ID provider device decides a deletion target account of each service provider ID.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of PCT International Application No. PCT/JP2012/005934, filed Sep. 18, 2012 and which claims the benefit of priority from Japanese Patent Application No. 2012-033391, filed Feb. 17, 2012, the entire contents of both of which are incorporated herein by reference.

FIELD

Embodiments of the present invention relate to an authentication collaboration system, an ID provider device, and a program.

BACKGROUND

As the dependence of society, the economy, and daily life on on-line services increases, the importance of identity management, that is, the management of information related to an individual or an organization, is recently increasing. Identity management refers to a technique of increasing the security and convenience of information related to an individual or an organization in various services or systems and of managing the overall life cycle of an identity from registration to change and deletion.

Here, the identity is the totality of information specifying an individual, a group, an organization, or a company in a certain situation, and includes an identifier, a credential, and an attribute. The identifier is information identifying an identity, and corresponds to an account (a user ID), an employee number, or the like. The credential is information representing the validity of certain information content, and includes a password or the like. The attribute is information characterizing an identity, and represents a name, an address, a date of birth, and the like.

As a representative example of a technique using an identity management technique, there is single sign-on (hereinafter, referred to as “SSO”). SSO is a technique by which a plurality of applications or services can be used by a single authentication procedure.

There is single sign-on as a technique of performing authentication collaboration capable of using a plurality of applications or services by a single authentication procedure. In SSO, there are many cases in which the authentications included in a plurality of applications are integrated in a single domain such as the intranet of one company.

In addition, in recent years, SSO is required between different domains (hereinafter, referred to as “cross domain”). The reasons may include an increase in corporate marriages or mergers, overseas development, and the like, and outsourcing through software as a service (SaaS) with the rise of cloud computing.

However, in implementing cross domain SSO, there is a problem in that a great deal of time and effort is required to share an authentication result. The main problems are the following two points.

A first problem lies in that since the use of an HTTP cookie is limited to a single domain, it is difficult to share an authentication result between domains using an HTTP cookie. A second problem lies in that since the SSO scheme of the access management product employed by each domain differs according to the vendor, it is difficult to introduce simply, and it is necessary to prepare a separate measure.

In order to solve the above problems, there is a demand for standardization of SSO among vendors. As one of the representative standard techniques to comply with this request, there is the security assertion markup language (SAML) made by the organization for the advancement of structured information standards (OASIS), which is a non-profit organization.

SAML is a specification that defines an expression form of information related to authentication, authorization, and attributes, and transmission and reception procedures, and is systematically specified so that an implementation can be made in various forms according to the purpose. The main entities are three: an identity provider (hereinafter, referred to as an “IDP” or “ID provider”), a service provider (hereinafter, referred to as an “SP” or “service provider”), and a user, and SSO is implemented such that the service provider trusts an authentication result issued by the ID provider.

When SSO starts based on SAML, it is generally necessary to prepare the following two points in advance. Firstly, a relation of trust needs to be constructed through information exchange or an agreement in business or technology between the service provider and the ID provider. Secondly, each user has an individual account for each service provider, and thus the individual SP account needs to collaborate with an account of the ID provider in advance (hereinafter, referred to as “account collaboration”). After advance preparation such as construction of the relation of trust and prior account collaboration is finished, SSO can be performed.

After the advance preparation, SSO is implemented by the following procedures (1) to (6). Here, an SSO procedure of a service provider-originated model using a user terminal will be described. In this procedure, basically, the process is performed in ascending order unless otherwise set forth.

(1) The user requests the service provider to provide a service.

(2) The service provider transmits an authentication request to the ID provider through the user side terminal since the user is not authenticated yet.

(3) The ID provider performs authentication on the user by a certain procedure, and generates an authentication assertion. SAML does not specify an authentication means, and specifies only the system in which the authentication assertion is transmitted to the service provider. The authentication assertion includes information representing the type of authentication means or the way of generating a credential, since the service provider determines whether or not it can trust the authentication result.

(4) The ID provider transmits the authentication result including the generated authentication assertion to the service provider through the user terminal.

(5) The service provider decides whether or not a service is to be provided based on the authentication result of the ID provider.

(6) The user is provided with a service from the service provider.

As described above, in SSO based on SAML, as the ID provider performs a single authentication procedure, the user can use a plurality of services without an additional authentication procedure. Currently, many vendors are providing access management products having the IDP and SP functions of SAML or SaaS services having the SP function of SAML.

However, SSO based on SAML is merely one part, the “use” of an identity, of the overall life cycle of an identity. As described above, when SSO starts, it is necessary to perform account collaboration, and in order to perform account collaboration, a technique of comprehensively collaborating on management such as registration, change, deletion, reissue, and temporary suspension of an identity between the service provider and the ID provider is required.

As a technique for automating registration, change, deletion, reissue, and temporary suspension of an identity, there is account provisioning, and as a standard technique thereof, there is the service provisioning markup language (SPML).

Meanwhile, there has been known a data processing system that actively executes account collaboration as a part of SSO in a state in which the advance preparation of the account collaboration is not finished. Typically, when SSO starts in a state in which the user's account is not registered on the service provider side, that is, in a state in which account collaboration is not performed, an error occurs.

However, according to this data processing system, the account collaboration can be actively executed as a part of SSO even in the above-described state. Specifically, after the service provider receives a service request from the user, the service provider checks that information sufficient to register the user's account is not held. After checking, the service provider requests the ID provider to provide a user attribute, and the ID provider provides the service provider with the desired user attribute. As a result, the data processing system executes account registration and collaboration in the process of SSO.

The above-described data processing system can request and provide the user attribute necessary for the individual user's account registration through a lightweight process, and does not have the problem that a large quantity of preliminary processing on many users is necessary.

However, according to the study of the present inventor(s), the following can be further improved.

Typically, when a company uses a service provided by the service provider, an information system (IS) section that controls the information system of the company in general performs account registration and collaboration on the service provider.

The IS section collectively performs account registration and collaboration on the user after a large quantity of preliminary processing according to the many users belonging to the company, or after a procedure based on a series of authorization flows is performed at an arbitrary timing by the user.

Here, when the preliminary processing of the former is performed, since account registration and collaboration need not be executed in the process of SSO, it is not related to the above-described data processing system.

Meanwhile, when the authorization flow of the latter is performed, a great deal of time and effort is required, since a lot of manpower is necessary, such as seniors in the organizational hierarchy to which the user belongs, a procurement section, and an IS section, as well as the user. In addition, since the IS section does not collectively perform the preliminary processing, manual work is necessary, the burden is great, and thus efficiency and convenience are poor. For example, it is difficult to obtain the advantage that SaaS or the like can be quickly put to use.

Thus, in a system in which account registration and collaboration are executed in the process of SSO, it is desirable to include a seamless system capable of deciding whether or not a service can be used without involving a manual operation.

In light of the foregoing, the present invention is directed to providing an authentication collaboration system, an ID provider device, and a program, which are low in the user's burden and capable of deciding whether or not a service can be used without involving a manual operation when account registration and collaboration are executed in the process of SSO.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an example of a hardware configuration of an authentication collaboration system according to an embodiment.

FIG. 2 is a schematic diagram for describing an IDP user repository according to an embodiment.

FIG. 3 is a schematic diagram for describing an IDP service use status store according to an embodiment.

FIG. 4 is a schematic diagram for describing an authentication collaboration policy store according to an embodiment.

FIG. 5 is a schematic diagram for describing an SP user setting rule store according to an embodiment.

FIG. 6 is a schematic diagram for describing a deletion target decision policy store according to an embodiment.

FIG. 7 is a schematic diagram for describing a deletion target account store according to an embodiment.

FIG. 8 is a schematic diagram for describing an authentication assertion according to an embodiment.

FIG. 9 is a schematic diagram for describing an SP user repository according to an embodiment.

FIG. 10 is a schematic diagram for describing a service data store according to an embodiment.

FIG. 11 is a schematic diagram for describing an SP service use status store according to an embodiment.

FIG. 12 is a schematic diagram for describing a verification policy store according to an embodiment.

FIG. 13 is a schematic diagram illustrating an outline of an overall operation according to an embodiment.

FIG. 14 is a sequence diagram illustrating the flow of a use status acquisition process according to an embodiment.

FIG. 15 is a block diagram illustrating an example of components necessary for a use status acquisition process according to an embodiment.

FIG. 16 is a sequence diagram illustrating the flow of a user authentication process according to an embodiment.

FIG. 17 is a block diagram illustrating an example of components necessary for a user authentication process according to an embodiment.

FIG. 18 is a sequence diagram illustrating the flow of an authentication collaboration policy evaluation process according to an embodiment.

FIG. 19 is a block diagram illustrating an example of components necessary for an authentication collaboration policy evaluation process according to an embodiment.

FIG. 20 is a sequence diagram illustrating the flow of an account collaboration process according to an embodiment.

FIG. 21 is a block diagram illustrating an example of components necessary for an account collaboration process according to an embodiment.

FIG. 22 is a sequence diagram illustrating the flow of an authentication collaboration process according to an embodiment.

FIG. 23 is a block diagram illustrating an example of components necessary for an authentication collaboration process according to an embodiment.

DETAILED DESCRIPTION

A policy storage unit of an ID provider device according to an embodiment stores policy information representing a user to which transmission of service data is permitted and policy information representing a user of a target in which transmission permission of service data is deleted. When a predetermined cycle comes or when a use status of the service provider device changes, the ID provider device acquires the use status of the service provider device transmitted from the service provider device, and updates a service use status storage unit based on the acquired use status. When the service use status storage unit is updated, the ID provider device decides a deletion target account of each service provider ID.

(First Embodiment)

Hereinafter, an authentication collaboration system according to the present embodiment will be described with reference to FIGS. 1 to 23.

FIG. 1 is a block diagram illustrating a basic configuration of an authentication collaboration system according to the present embodiment. The authentication collaboration system includes an ID provider device 200 capable of executing a log-in process on a user terminal 100 operated by the user and a service provider device 300 capable of transmitting service data to the user terminal 100 when the log-in process is successfully performed. As each of the ID provider device 200 and the service provider device 300, a plurality of devices may be provided, but only one device is illustrated here. The user terminal 100, the ID provider device 200, and the service provider device 300 may be connected to one another via a network.

The user terminal 100 is a device that has a typical computer function, and can communicate with the ID provider device 200 and the service provider device 300. The user terminal 100 includes a function of transmitting a service request for requesting use of the service provider device 300 to the service provider device 300 in response to the user's operation, a function of executing the log-in process between the user terminal 100 and the ID provider device 200, a function of receiving service data from the service provider device 300, a function of reproducing the received service data as a central processing unit (CPU) executes a service use application program stored in a memory in advance, and a user interface function.

The ID provider device 200 functions to manage the user's identity, and includes an IDP user repository 201, an IDP service use status store 202, an authentication collaboration policy store 203, an SP user setting rule store 204, a key storage unit 205, a deletion target decision policy store 206, a deletion target account store 207, an IDP authentication collaborating unit 208, an authentication collaboration handling unit 209, an authentication collaboration policy evaluating unit 210, an IDP account provisioning unit 211, a service use status managing unit 212, and a trigger 213.

The IDP user repository 201 stores identity information (hereinafter, referred to as “user attribute information”) related to the user of an organization in which the ID provider device 200 is arranged. Specifically, the IDP user repository (a user attribute information storage unit) 201 stores user attribute information 201 a in which an item name of a user attribute specifying the user is associated with an item value of the user attribute as illustrated in FIG. 2, that is, stores a plurality of pieces of user attribute information 201 a in which a user ID identifying the user, a password referred to when the user performs the log-in process, a user name, the user's affiliation, the user's appointment, address information of the user terminal, an authentication collaboration ID, and the like are included as item names. The authentication collaboration ID is an ID shared between the service provider device 300 and the subject device 200, and is issued in an account collaboration process (which will be described later) in the present embodiment. Further, when the authentication collaboration with the service provider is not performed, the authentication collaboration ID is empty.

The user attribute information 201 a is a collection of information characterizing personal information. The user attribute information 201 a is not limited to the above example, and for example, may further include an arbitrary item name and item value such as a phone number or a working state. For example, the password referred to when the user performs the log-in process may be biometric authentication information such as the user's fingerprint.

The IDP service use status store (a first service use status storage unit) 202 is referred to by the authentication collaboration policy evaluating unit 210, and stores service use status information 202 a for each user. The service use status information 202 a is the use status of the service provided by each service provider device 300 for each user ID.

In other words, the IDP service use status store 202 stores the service use status of each user at the ID provider device 200 side. As illustrated in FIG. 3, the IDP service use status store 202 stores a user use management table 202 aA and an in-use number management table 202 aB as the service use status information 202 a. The user use management table 202 aA stores a “user ID,” “service provider IDs” (SP(1) to SP(N)) identifying each service provider device 300, and a “service use status” of each service provider ID in association with one another.

Examples of the service use status include “service in use” representing that transmission of service data is permitted, “service unused” representing that transmission of service data is not permitted, “service use suspension” representing temporary suspension of transmission permission of service data based on a temporary suspension request received from the user terminal 100, and “service use end” based on a use end request received from the user terminal 100. Further, when the current in-use number is larger than the upper limit value, the service use end includes a case in which the ID provider device 200 has invalidated the use of an idle user. Further, the service use status is stored in association with a last use date and time, which is the last date and time (the last log-in date and time) at which the user used the service, and a disk use amount.

For example, in the service use status in which the user ID of FIG. 3 is “USER_A,” SP(1) is in the service unused status, SP(2) is in the service in use status, and SP(N) is in the service unused status. Further, in SP(2), the last use date and time is 2011 Feb. 10, and the disk use amount is 4 GB.

The in-use number management table 202 aB records, in association with each other for each service provider ID, an in-use number representing the number of in-use services represented by the service use status in the user use management table 202 aA and an upper limit value of the in-use number which is set in advance, as illustrated in FIG. 3.

The authentication collaboration policy store (an authentication collaboration policy storage unit) 203 is referred to by the authentication collaboration policy evaluating unit 210, and stores an authentication collaboration policy. Specifically, the authentication collaboration policy store 203 stores, for each service provider ID, a plurality of authentication collaboration policies (authentication collaboration policy information) 203 a (203 aA, 203 aB, 203 aC, and the like) representing the user's affiliation and appointment for which transmission of service data by the service provider device 300 identified by the service provider ID is permitted, as illustrated in FIG. 4.

The authentication collaboration policy 203 a may further include an active policy (for example, [4] of C in FIG. 4) such as the number of in-use services and a total of pay-as-you-go accounting, in addition to a static policy (for example, [1] to [3] of A to C in FIG. 4) such as the user's affiliation and appointment.

Here, the policy refers to a collection of accessibility conditions in which it is generally defined whether or not (permission or rejection) who (subject) can perform which operation (action) on which system resources (resources). Further, as an option, it may also be defined on an environmental condition or a duty condition.

For example, for each element of the above-described policy, the “subject” corresponds to a name, an appointment, an affiliation, or the like, the “resource” corresponds to the service provider ID, a URL, or the like, the “action” corresponds to a use start, a use restart, or the like, and the “environmental condition” corresponds to the IP address of the user who makes a certain request, an accessible period of time or time, or the like. Further, the “duty condition” is a work assigned when a policy (accessibility condition) evaluation result is received, and the authentication collaboration handling unit 209 executes authentication collaboration. For example, it is an instruction such as “a request for ‘registering a new user’ is permitted, but ‘ID of idle user is deleted’ has to be reliably executed” (for example, [duty condition] of [4] of A in FIG. 4).

The SP user setting rule store (a partial item name storage unit) 204 stores a user setting rule 204 a as illustrated in FIG. 5. The user setting rule 204 a is written such that the service provider ID is associated with some item names among the item names of the user attribute included in the user attribute information 201 a stored in the IDP

The key storage unit 205 stores a signature generation key of the subject device 200. As the signature generation key, for example, of a pair of the public key and the secret key in a public key cryptosystem, the secret key may be used.

The deletion target decision policy store (a deletion target policy storage unit) 206 is referred to by the service use status managing unit 212, and stores a deletion target decision policy as illustrated in FIG. 6. Specifically, the deletion target decision policy store (a deletion target decision policy storage unit) 206 stores, for each service provider ID, a deletion target decision policy (deletion target decision policy information) 206 a (206 aA, 206 aB, 206 aC, and the like) representing the condition (a deletion target condition) of the user for which transmission permission of service data is deleted in the service provider device 300 identified by the service provider ID, as illustrated in FIG. 6.

For example, the deletion target decision policy 206 a describes, as the deletion target condition, that the last use date and time of the user registered to the service provider SP(1) is more than half a year ago, that the disk use amount is 5 GB or more, and that the department to which the user belongs is X. The deletion target decision policies of the service provider SP(2) and the service provider SP(3) are similarly described. For example, deletion of the transmission permission of the service data may be performed such that a deletion target account is deleted from an SP user repository, which will be described later, or such that the service data transmission permission state is changed to a temporary suspension state.

The deletion target account store (a deletion target account storage unit) 207 stores a deletion target account (deletion target account information) 207 a which is decided based on the deletion target decision policy 206 a, the service use status 202 a, and the user attribute information 201 a by the service use status managing unit 212, which will be described later, as illustrated in FIG. 7. The deletion target account information 207 a is the user ID of a deletion target in each service provider device 200.

The IDP authentication collaborating unit 208 has the ID provider function of SSO (single sign-on). Specifically, for example, the IDP authentication collaborating unit 208 has the following functions (f208-1) to (f208-3).

(f208-1): a function of transmitting the log-in request to the user terminal 100 based on the address information of the user terminal 100 included in the user authentication request transmitted from the authentication collaboration handling unit 209, which will be described later, and executing the log-in process of performing authentication on the user ID and the user authentication information received from the user terminal 100 based on the user ID and the password included in the IDP user repository 201.

(f208-2): a function of generating a digital signature based on the signature generation key stored in the key storage unit 205 on an assertion context including the authentication collaboration ID issued by the IDP account provisioning unit 211, which will be described later, and the authentication scheme name of the log-in process, and generating an authentication assertion 208 a including the assertion context and the digital signature as illustrated in FIG. 8.

(f208-3): a function of transmitting the authentication collaboration response including the generated authentication assertion 208 a to the service provider device 300 of the transmission source of the authentication collaboration request.

The authentication collaboration handling unit 209 receives the authentication collaboration request from the service provider device 300, and then handles a series of processes including a policy evaluation process, an account collaboration process, and an IDP authentication collaboration process, which will be described later. Specifically, the authentication collaboration handling unit 209 includes the following functions (f209-1) to (f209-4).

(f209-1): a function of transmitting the user authentication request including the address information of the user terminal 100 included in the authentication collaboration request to the IDP authentication collaborating unit 208 when the authentication collaboration request including the service provider ID of the service provider device 300 and the address information of the user terminal 100 is received from the service provider device 300.

(f209-2): a function of transmitting the policy evaluation request including the user ID used in the log-in process and the service provider ID included in the authentication collaboration request to the authentication collaboration policy evaluating unit 210 when the log-in process is successfully performed by the IDP authentication collaborating unit 208.

(f209-3): a function of transmitting the account collaboration request including the user ID and the service provider ID included in the policy evaluation request to the IDP account provisioning unit 211 when the determination result included in the policy evaluation response received from the authentication collaboration policy evaluating unit 210 represents permission.

(f209-4): a function of transmitting the IDP authentication collaboration execution request including the service provider ID and the user ID included in the operation completion included in the account collaboration response transmitted from the IDP account provisioning unit 211 to the IDP authentication collaborating unit 208.

The authentication collaboration policy evaluating unit 210 receives the policy evaluation request from the authentication collaboration handling unit 209, and performs policy evaluation based on the authentication collaboration policy 203 a which is defined in advance and the user use management table 202 aA. Specifically, the authentication collaboration policy evaluating unit 210 has the following functions (f210-1) to (f210-5).

(f210-1): a function of reading the user attribute information 201 a from the IDP user repository 201 based on the user ID included in the policy evaluation request transmitted from the authentication collaboration handling unit 209.

(f210-2): a function of reading the authentication collaboration policy information 203 a from the authentication collaboration policy store 203 based on the service provider ID included in the policy evaluation request transmitted from the authentication collaboration handling unit 209.

(f210-3): a function of reading the service use status information 202 a from the IDP service use status store 202 based on the user ID included in the policy evaluation request transmitted from the authentication collaboration handling unit 209.

(f210-4): a transmission permission determining function of determining whether or not transmission of service data is to be permitted according to whether or not the affiliation or appointment included in the read user attribute information 201 a and the read service use status information 202 a match the affiliation and appointment represented by the read authentication collaboration policy 203 a.

(f210-5): a function of transmitting the policy evaluation response including the determination result to the authentication collaboration handling unit 209 of the transmission source of the policy evaluation request.

The IDP account provisioning unit 211 receives the account collaboration request from the authentication collaboration handling unit 209, and executes account provisioning on the service provider device 300. Specifically, for example, the IDP account provisioning unit 211 has the following functions (f211-1) to (f211-8).

(f211-1): a function of reading some item names of the user attribute from the SP user setting rule store 204 based on the service provider ID included in the transmitted account collaboration request.

(f211-2): a function of reading the deletion target account information 207 a from the deletion target account store 207 based on the service provider ID included in the transmitted account collaboration request.

(f211-3): a function of acquiring, based on the read item names and the user ID included in the account collaboration request message, user attribute partial information consisting of the item names matching those read item names and the item values associated with them, from the user attribute information 201 a in the IDP user repository 201 whose user ID matches that user ID.

(f211-4): a function of issuing the authentication collaboration IDshared between the service provider device 300 identified by the serviceprovider ID included in the account collaboration request and thesubject device 200.

(f211-5): a function of adding “account registration” to the acquired user attribute partial information as an operation instruction, adding “account deletion” serving as an operation instruction and the issued authentication collaboration ID to the acquired deletion target account information 207 a, and generating an account provisioning request (an account collaboration request message).

(f211-6): a function of transmitting the account collaboration request message to the service provider device 300 of the transmission source of the authentication collaboration request.

(f211-7): a function of registering the authentication collaboration ID to the user attribute information 201 a in the IDP user repository 201, based on the service provider ID and the user ID included in the operation completion, when an operation completion of the SP user repository 302, including the service provider ID of the service provider device and the user ID included in the user attribute partial information, is notified from the service provider device 300 of the transmission source of the account collaboration request message.

(f211-8): a function of transmitting the account collaboration response representing the registration completion and the operation completion of the user repository to the authentication collaboration handling unit 209.

The service use status managing unit 212 includes a service use status acquiring unit 214 and a deletion target account deciding unit 215.

The service use status acquiring unit 214 transmits a use status acquisition request to the service provider device 300. Further, the service use status acquiring unit 214 acquires the use status of the service provider device 300 transmitted from the service provider device 300 based on the use status acquisition request, and updates the IDP service use status store 202 based on the acquired use status.

The deletion target account deciding unit 215 decides a deletion target account based on the acquired use status, the user attribute information 201 a, and the deletion target decision policy 206 aA.

When a predetermined time comes, the trigger 213 requests the service use status acquiring unit 214 of the service use status managing unit 212 to acquire the use status of the service provider device 300. In other words, the trigger 213 transmits a use status acquisition execution request to the service use status acquiring unit 214.

Upon receiving the use status acquisition execution request, the service use status acquiring unit 214 acquires the service use status from the service provider device 300. For example, the trigger 213 may be set according to a cycle. In other words, the trigger 213 may be an action that is performed at predetermined time intervals, such as a re-connection action of an authentication session between the ID provider device 200 and the service provider device 300.

Meanwhile, the service provider device 300 provides a service used by the user, and includes a service data communicating unit 301, the SP user repository 302, a service data store 303, an SP service use status store 304, a verification policy store 305, an SP authentication collaborating unit 306, a service use status providing unit 307, and an SP account provisioning unit 308.

The service data communicating unit 301 has a function of transmitting an authentication token included in a service execution request and service data 303 a in the service data store 303, which will be described later, to the user terminal 100 based on the service execution request transmitted from the SP authentication collaborating unit 306, which will be described later.

The SP user repository 302 stores identity information of the user using the service data to be transmitted by the service data communicating unit 301. Specifically, the SP user repository (a user attribute partial information storage unit) 302 stores user attribute partial information 302 a, in which some of the item names and item values of the user attribute included in the user attribute information 201 a in the IDP user repository 201, selected based on the SP user setting rule 204 a, are associated with the SP side user ID identifying the user in the subject device 300, as illustrated in FIG. 9.

The service data store 303 stores the service data 303 a as illustrated in FIG. 10. The service data 303 a is arbitrary data transmitted to the user terminal 100 as a target of service provision (service data transmission) by the service provider device 300.

The SP service use status store (a second service use status storage unit) 304 stores service use status information 304 a, which is a use status of a service provided by the service provider device 300 for each user.

In other words, the SP service use status store 304 stores the user use management table 202 aA storing a service use status of each user at the service provider device 300 side and the in-use number management table 202 aB.

As illustrated in FIG. 11, the SP service use status store 304 stores a user use management table 304 aA and an in-use number management table 304 aB. The user use management table 304 aA writes the use status of the service provider device 300, representing any one of “service in use” representing that transmission of the service data 303 a is permitted, “service unused” representing that transmission of the service data 303 a is not permitted, “service use suspension” representing temporary suspension of transmission permission of service data based on a temporary suspension request received from the user terminal 100, and “service use end” based on the use end request received from the user terminal 100, in association with the user ID.

Further, the use status of the service provider device 300 is stored in association with the last use date and time and the disk use amount of the user. In addition, the user use management table 304 aA writes the use status of the user ID for each ID of the ID provider device when a plurality of ID provider devices 200 are provided.

The in-use number management table 202 aB writes the in-use number representing the number of in-use services represented by the use status in the user use management table 304 aA in association with an upper limit value of the in-use number which is set in advance, as illustrated in FIG. 11.

The verification policy store 305 stores an authentication assertion verification policy including an authentication scheme name of the log-in process for permitting transmission of the service data 303 a when the log-in process is successfully performed, and a signature verification key corresponding to a signature generation key of the ID provider device 200, as illustrated in FIG. 12. As the signature verification key, for example, the public key of a public key and secret key pair in a public key cryptosystem may be used.

The SP authentication collaborating unit 306 has a service provider function of the SSO (single sign-on). Specifically, for example, the SP authentication collaborating unit 306 has the following functions (f306-1) to (f306-4).

(f306-1): a function of determining whether or not the service request includes the authentication token when the service request is received from the user terminal 100, transmitting the authentication token and the service data 303 a in the service data store 303 to the user terminal 100 when it is determined that the service request includes the authentication token, and transmitting the authentication collaboration request including the service provider ID of the subject device 300 and the address information of the user terminal 100 to the ID provider device 200 when it is determined that the service request does not include the authentication token.

(f306-2): a verification function of verifying each of the authentication scheme name and the digital signature included in the authentication assertion 208 a based on the authentication scheme name and the signature verification key in the authentication assertion verification policy in the verification policy store 305 when the authentication collaboration response is received from the ID provider device 200.

(f306-3): a function of issuing the authentication token when all of the verification results are valid.

(f306-4): a function of transmitting the service execution request including the issued authentication token and the address information of the user included in the authentication collaboration response received from the ID provider device 200 to the service data communicating unit 301.

Upon receiving a use status acquisition request from the service use status acquiring unit 214 of the ID provider device 200, the service use status providing unit 307 has a function of searching the SP service use status store 304 based on the user ID included in the use status transmission request, and transmitting the use status of the service provider device 300 obtained by the search.

The SP account provisioning unit 308 performs account provisioning on the SP user repository 302 based on the account collaboration request message received from the IDP account provisioning unit 211 of the ID provider device 200. The SP account provisioning unit 308 updates the SP service use status store 304 based on the account collaboration request message.

Specifically, for example, the SP account provisioning unit 308 has the following functions (f308-1) to (f308-5).

(f308-1): a function of checking operation information included in the account collaboration request message when the account collaboration request message is received from the IDP account provisioning unit 211 of the ID provider device 200, issuing a new SP side user ID when the operation information is “account registration,” and registering the issued SP side user ID and the user attribute partial information 302 a included in the account collaboration request message to the SP user repository 302 in association with each other.

(f308-2): a function of searching the SP user repository 302 based on the user ID (the deletion target account) included in the account collaboration request message when the operation information included in the account collaboration request message is “deletion,” and deleting the user attribute partial information 302 a of the search result.

(f308-3): a function of searching the SP user repository 302 based on the user ID included in the account collaboration request message when the operation information included in the account collaboration request message is “update,” and updating the user attribute partial information 302 a of the search result. For example, the operation information “update” means account invalidity, and at this time, the SP account provisioning unit 308 searches the SP user repository 302 based on the user ID included in the account collaboration request message, and changes a valid flag (not illustrated) included in the user attribute partial information 302 a of the search result to “false.”

Further, the account invalidity may be included in the operation information “deletion.”

(f308-4): a function of updating the SP service use status store 304 based on the user ID included in the account collaboration request message and the operation information after an operation of the user repository.

For example, when the operation information is “account registration,” the user ID and the use status “service in use” are written in the user use management table 304 aA as a new use status. At this time, when the corresponding user ID is already present in the user use management table 304 aA, the use status is updated.

Further, when the operation information is “deletion,” the use status of the user ID written in the user use management table 304 aA is changed to “service unused.”

(f308-5): a function of notifying the ID provider device 200, which is the transmission source of the account collaboration request message, of operation completion and store update completion after an operation of the SP user repository 302 and update (an SP account operation) of the SP service use status store 304; the operation completion includes the user ID included in the operated user attribute partial information 302 a and the service provider ID of the subject device 300.
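The following is an added example (not code from the patent) of how the SP account provisioning unit 308 could apply functions (f308-1) to (f308-5) to one account collaboration request message: registering a new SP side user ID, deleting a deletion target account, invalidating an account on “update,” updating the user use management table 304 aA, and returning the operation completion. The message layout, the SP side user ID format, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Operation instructions named in (f308-1) to (f308-3).
VALID_OPERATIONS = {"account registration", "deletion", "update"}


@dataclass
class SPUserRecord:                  # one row of user attribute partial information 302 a
    sp_user_id: str                  # SP side user ID issued by the SP (format is an assumption)
    user_id: str                     # IDP side user ID the message refers to
    attributes: Dict[str, str]
    valid: bool = True               # the valid flag changed to "false" by "update"


@dataclass
class ServiceProviderState:
    sp_id: str
    # SP user repository 302, keyed by IDP side user ID.
    user_repository: Dict[str, SPUserRecord] = field(default_factory=dict)
    # User use management table 304 aA: user ID -> use status.
    use_status: Dict[str, str] = field(default_factory=dict)
    upper_limit: int = 100           # upper limit value of the in-use number (304 aB)
    next_sp_user_id: int = 1

    def in_use_number(self) -> int:
        """In-use number of table 304 aB: rows of 304 aA marked "service in use"."""
        return sum(1 for s in self.use_status.values() if s == "service in use")


def process_account_collaboration_request(sp: ServiceProviderState, message: dict) -> dict:
    """Apply every operation instruction of an account collaboration request
    message to the SP user repository 302 and the SP service use status
    store 304, then build the operation completion of (f308-5)."""
    ops = message["operations"]
    unknown = [op["operation"] for op in ops if op["operation"] not in VALID_OPERATIONS]
    if unknown:
        # Reject the whole message before touching any store, so a malformed
        # message cannot leave the repository half-updated.
        raise ValueError(f"unknown operation instruction(s): {unknown}")
    operated: List[str] = []
    for op in ops:
        kind, user_id = op["operation"], op["user_id"]
        if kind == "account registration":                              # (f308-1)
            record = sp.user_repository.get(user_id)
            if record is None:
                record = SPUserRecord(f"SPUSER{sp.next_sp_user_id:03d}", user_id,
                                      dict(op["attributes"]))
                sp.next_sp_user_id += 1
                sp.user_repository[user_id] = record
            else:
                record.attributes.update(op["attributes"])
                record.valid = True
            sp.use_status[user_id] = "service in use"                   # (f308-4)
        elif kind == "deletion":                                        # (f308-2)
            if sp.user_repository.pop(user_id, None) is None:
                continue                                                # nothing to delete
            sp.use_status[user_id] = "service unused"                   # (f308-4)
        else:                                                           # "update" (f308-3)
            record = sp.user_repository.get(user_id)
            if record is None:
                continue
            record.valid = False                                        # account invalidity
        operated.append(user_id)
    # (f308-5): operation completion with the operated user IDs and the SP ID.
    return {"service_provider_id": sp.sp_id, "user_ids": operated,
            "store_update": "completed"}


def make_sample_sp() -> ServiceProviderState:
    """Constructed SP state: USER_B is already registered and in use."""
    sp = ServiceProviderState("SP(1)")
    sp.user_repository["USER_B"] = SPUserRecord("SPUSER000", "USER_B",
                                                {"name": "B", "department": "X"})
    sp.use_status["USER_B"] = "service in use"
    return sp


# Constructed account collaboration request message: register USER_A and
# delete the deletion target account USER_B.
SAMPLE_REQUEST = {
    "operations": [
        {"operation": "account registration", "user_id": "USER_A",
         "attributes": {"name": "A", "department": "X"}},
        {"operation": "deletion", "user_id": "USER_B"},
    ],
}

if __name__ == "__main__":
    sp = make_sample_sp()
    print(process_account_collaboration_request(sp, SAMPLE_REQUEST))
    print(sp.use_status, sp.in_use_number())
```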

Next, an operation of the authentication collaboration system having the above-described configuration will be described with reference to FIGS. 13 to 23. The following description starts from a state in which a system environment in which the SSO is possible between the ID provider device 200 and the service provider device 300 is given, an account of the user belonging to an organization of the ID provider side is not registered to the service provider device 300, and authentication is not collaborated yet.

The description will proceed in connection with an example of a typical process in which, in this state, when the user makes the service request, the ID provider device 200 determines whether or not the authentication collaboration policy 203 a is satisfied, and when it is determined that the authentication collaboration policy 203 a is satisfied, the user's account is registered to the service provider device 300 side, so that the SSO is executed between the ID provider device 200 and the service provider device 300, and the service data 303 a is transmitted from the service provider device 300.

Thereafter, the description will be divided into service use status acquisition (S11 to S19) of step S10, user authentication (S21 to S27) of step S20, authentication collaboration policy evaluation (S31 to S36) of step S30, account collaboration (S41 to S49) of step S40, and authentication collaboration (S51 to S58) of step S50, as illustrated in FIG. 13.

First, service use status acquisition of step S10 of FIG. 13 will be described with reference to a sequence diagram of FIG. 14 and a schematic diagram of FIG. 15.

In step S11, when a preset time comes, the trigger 213 of the ID provider device 200 requests the service use status managing unit 212 to execute use status acquisition. In the present embodiment, the trigger 213 is set to 12:00, Apr. 1, 2011.

In step S12, upon receiving the use status acquisition execution request from the trigger 213, the service use status acquiring unit 214 of the service use status managing unit 212 requests the service use status providing unit 307 of the service provider device 300 to acquire the use status. In the present embodiment, the use status acquisition request is assumed to be transmitted only to the service provider device 300 having the service provider ID of SP (1).

In step S13, the service use status providing unit 307 acquires the service use status information 304 a from the SP service use status store 304 of each service provider device 300, and transmits the service use status information 304 a to the service use status managing unit 212 of the ID provider device 200.

In step S14, the service use status acquiring unit 214 of the service use status managing unit 212 updates the IDP service use status store 202 based on the received service use status information 304 a of each service provider device 300.

In step S15, when the IDP service use status store 202 is updated based on the received service use status information 304 a, the service use status acquiring unit 214 transmits a deletion target decision request to the deletion target account deciding unit 215.

In step S16, upon receiving the deletion target decision request, the deletion target account deciding unit 215 acquires the deletion target decision policy 206 a from the deletion target decision policy store 206.

In step S17, the deletion target account deciding unit 215 acquires the user attribute information 201 a from the IDP user repository 201.

In step S18, the deletion target account deciding unit 215 decides an account of a deletion target based on the user use management table 202 aA and the in-use number management table 202 aB updated in step S14, the deletion target decision policy 206 a acquired in step S16, and the user attribute information 201 a acquired in step S17. Specifically, the deletion target account deciding unit 215 determines a user satisfying the deletion condition represented by the deletion target decision policy 206 a based on the user attribute information 201 a related to a predetermined user and the service use status of the user stored in the user use management table 202 aA and the in-use number management table 202 aB.

For example, an example in which the deletion target account deciding unit 215 determines the user satisfying the deletion condition represented by the deletion target decision policy 206 a based on the deletion target decision policy 206 aA of FIG. 6 and the user use management table 202 aA and the in-use number management table 202 aB of FIG. 3 will be described in detail. First, USER_B and USER_N satisfy a deletion condition [1] “last use date and time is more than half a year ago” in SP (1) of the deletion target decision policy 206 aA.

Next, USER_B and USER_N satisfy a deletion condition [2] “disk use amount is 5 GB or more” in SP (1) of the deletion target decision policy 206 aA. Next, USER_B satisfies a deletion condition [3] “department to which user belongs is X” in SP (1) of the deletion target decision policy 206 aA. Thus, USER_B satisfies all of the deletion conditions represented by the deletion target decision policy 206 a and thus is decided as the deletion target account. Further, when a plurality of deletion target accounts are present, all of the deletion target accounts are decided as the deletion target account.

In step S19, the deletion target account deciding unit 215 stores the decided deletion target account in the deletion target account store 207.
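The decision of steps S16 to S19, worked through as an added example (not code from the patent): the deletion target decision policy 206 a for SP (1) is modelled as the three conditions quoted above, evaluated against the user attribute information 201 a and the user use management table 202 aA at the time the trigger 213 fires, and the later step S26 (removing an account from the deletion target account store 207 when that user logs in) is included because it completes the store's life cycle. Record layouts, the 183-day reading of “half a year,” and all sample users and values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass(frozen=True)
class UserAttribute:            # one row of user attribute information 201 a
    user_id: str
    department: str
    division: str
    appointment: str


@dataclass(frozen=True)
class UseStatus:                # one row of the user use management table 202 aA
    user_id: str
    sp_id: str
    status: str                 # "service in use", "service unused", ...
    last_use: datetime          # last use date and time
    disk_use_gb: float          # disk use amount in GB


# A deletion condition is a predicate over the user's attributes, the
# user's use status at that SP, and the time the trigger 213 fired.
Condition = Callable[[UserAttribute, UseStatus, datetime], bool]

HALF_YEAR = timedelta(days=183)   # assumption: "half a year" taken as 183 days

# Deletion target decision policy 206 a, keyed by service provider ID.
# For SP (1) these are conditions [1] to [3] quoted in the text; an
# account is a deletion target only when every condition holds.
DELETION_POLICY: Dict[str, List[Condition]] = {
    "SP(1)": [
        lambda attr, use, now: now - use.last_use > HALF_YEAR,  # [1] last use > half a year ago
        lambda attr, use, now: use.disk_use_gb >= 5.0,          # [2] disk use 5 GB or more
        lambda attr, use, now: attr.department == "X",          # [3] department is X
    ],
}


def decide_deletion_targets(sp_id: str, attributes: List[UserAttribute],
                            use_table: List[UseStatus], now: datetime) -> List[str]:
    """Step S18: user IDs of every account at sp_id satisfying all of the
    deletion conditions of the policy defined for that SP."""
    conditions = DELETION_POLICY.get(sp_id)
    if not conditions:
        return []                     # no policy for this SP: nothing is deleted
    attr_by_id = {a.user_id: a for a in attributes}
    targets: List[str] = []
    for use in use_table:
        if use.sp_id != sp_id:
            continue
        attr = attr_by_id.get(use.user_id)
        if attr is None:
            continue                  # user unknown to the IDP repository: never guess
        if all(cond(attr, use, now) for cond in conditions):
            targets.append(use.user_id)
    return targets


def remove_on_login(deletion_store: Dict[str, List[str]], user_id: str) -> bool:
    """Step S26: a user who logs in successfully is dropped from the deletion
    target account store 207. Returns True when the store changed."""
    changed = False
    for targets in deletion_store.values():
        if user_id in targets:
            targets.remove(user_id)
            changed = True
    return changed


# Constructed sample data (not the values of the patent's figures).
TRIGGER_TIME = datetime(2011, 4, 1, 12, 0)   # the time the text sets the trigger 213 to
ATTRIBUTES = [
    UserAttribute("USER_A", "X", "Y", "Z"),
    UserAttribute("USER_B", "X", "Y", "Z"),
    UserAttribute("USER_N", "W", "Y", "Z"),
]
USE_TABLE = [
    UseStatus("USER_A", "SP(1)", "service in use", datetime(2011, 3, 30, 9, 0), 1.2),
    UseStatus("USER_B", "SP(1)", "service in use", datetime(2010, 6, 1, 10, 0), 6.0),
    UseStatus("USER_N", "SP(1)", "service in use", datetime(2010, 8, 15, 10, 0), 7.5),
]

if __name__ == "__main__":
    # Step S19: the decided targets are stored per service provider ID.
    store = {"SP(1)": decide_deletion_targets("SP(1)", ATTRIBUTES, USE_TABLE, TRIGGER_TIME)}
    print(store)                          # {'SP(1)': ['USER_B']}
    remove_on_login(store, "USER_B")      # USER_B logs in again and is no longer a target
    print(store)                          # {'SP(1)': []}
```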

Here, the user authentication of step S20 of FIG. 13 will be described with reference to a sequence diagram of FIG. 16 and a schematic diagram of FIG. 17. The user authentication of step S20 starts when the user operates the user terminal in order to use a service of the service provider device 300 side.

In step S21, when the user operates the user terminal 100 in order to use a service of the service provider device 300 side, the user terminal 100 transmits the service request to the service provider device 300. The service provider device 300 catches the service request through the SP authentication collaborating unit 306 that undertakes access management.

In step S22, upon receiving the service request from the user, the SP authentication collaborating unit 306 determines whether or not the service request includes the authentication token. For example, when the service request from the user is in the form of an HTTP request, it is checked whether or not the authentication token issued by the service provider device 300 is present in a cookie included in the HTTP request.

Further, when it is checked that the authentication token is present, that is, when authentication collaboration is finished, the service provider device 300 provides the user with the service requested through the service request. In other words, when it is determined that the service request includes the authentication token, the SP authentication collaborating unit 306 transmits the authentication token and the service data 303 a in the service data store 303 to the user terminal 100 of the service request source through the service data communicating unit 301. Specifically, the SP authentication collaborating unit 306 transmits the service execution request including the authentication token in the service request and the user ID associated with the authentication token to the service data communicating unit 301.

Meanwhile, when it is determined in step S22 that the service request does not include the authentication token, that is, when authentication is not collaborated yet, step S23 is executed.

In step S23, the service provider device 300 transmits the authentication collaboration request to the ID provider device 200. At this time, the authentication collaboration request may be transmitted from the service provider device 300 to the ID provider device 200 directly or through redirecting of the user terminal 100. The authentication collaboration request includes the service provider ID of the subject device 300 and the address information of the user terminal 100.

Here, the service provider device 300 collaborates with only one ID provider, the ID provider device 200, and thus selection of the ID provider is unnecessary. When the service provider device 300 collaborates with ID providers other than the ID provider device 200, so that selection of the ID provider is necessary, the SP authentication collaborating unit 306 may transmit an IDP list (not illustrated) listing ID provider IDs representing ID providers with which a relation of trust is established in advance to the user terminal 100, in order to cause the user to select the ID provider to which the user belongs. At this time, the user terminal 100 displays the IDP list received from the service provider device 300, and urges the user to select the ID provider to which the user belongs. Thereafter, the user terminal 100 transmits the selected ID provider ID to the service provider device 300 according to the user's operation.

In step S24, the authentication collaboration handling unit 209 of the ID provider device 200 analyzes a message directed to the ID provider device 200, starts an authentication collaboration process when it is checked that the message is the authentication collaboration request, and transmits the user authentication request including the address information of the user terminal 100 in the authentication collaboration request to the IDP authentication collaborating unit 208. However, when it is checked that the message is not the authentication collaboration request, the message is re-transmitted to a destination desired by the service provider device 300 through intervention of the authentication collaboration handling unit 209.

In step S25, upon receiving the user authentication request, the IDP authentication collaborating unit 208 executes the log-in process for identification and authentication of the user based on the user authentication request. In the log-in process, the IDP authentication collaborating unit 208 transmits the log-in request to the user terminal 100 based on the address information of the user terminal 100 included in the transmitted user authentication request, and authenticates the user ID and the user authentication information received from the user terminal 100 based on the user ID and the password in the IDP user repository 201. In the present embodiment, authentication is assumed to be performed based on a user ID “USER_A” and a password “PASS_A” received from the user terminal 100, and the user authentication is assumed to be successfully performed.

In step S26, the IDP authentication collaborating unit 208 determines whether or not account information of the user that has successfully logged in is present in the deletion target account store 207, and deletes the corresponding account from the deletion target account store 207 when information of the account that has successfully logged in is present. In the present embodiment, since “USER_A” is not registered in the deletion target account store 207, the deletion target account store 207 is not updated.

In step S27, when the log-in process of step S25 is successfully performed, the IDP authentication collaborating unit 208 transmits a user authentication completion (log-in completion) message including the user ID used in the log-in process and information representing authentication success to the authentication collaboration handling unit 209.

Through the above process, the user authentication (S21 to S27) of step S20 ends.

Next, in the authentication collaboration policy evaluation of step S30, after the user authentication ends, authentication collaboration policy evaluation is performed using the user use management table 202 aA, the in-use number management table 202 aB, the user attribute information 201 a, and the authentication collaboration policy 203 a as input values, and it is decided whether the service request of the user is permitted. Hereinafter, the authentication collaboration policy evaluation of step S30 will be described with reference to a sequence diagram of FIG. 18 and a schematic diagram of FIG. 19.

In step S31, the authentication collaboration handling unit 209 analyzes the user authentication completion message transmitted in step S27, and checks that the log-in process has been successfully performed. When the log-in process has been successfully performed, the authentication collaboration handling unit 209 transmits the policy evaluation request on the user's service request to the authentication collaboration policy evaluating unit 210. The policy evaluation request includes the user ID acquired in the log-in process of step S25, that is, the user's IDP account, and the service provider ID in the authentication collaboration request.

Thereafter, through steps S32 to S34, the authentication collaboration policy evaluating unit 210 collects information necessary for evaluation of the authentication collaboration policy 203 a.

In step S32, the authentication collaboration policy evaluating unit 210 reads the service use status 202 a from the IDP service use status store 202 based on the user ID and the service provider ID included in the policy evaluation request. However, step S32 is not performed when static policy evaluation is executed.

Hereinafter, the user ID read in step S32 is assumed to be USER_A, and the service provider device 300 requested by the user is assumed to be SP (1).

In step S33, the authentication collaboration policy evaluating unit 210 reads the user attribute information 201 a from the IDP user repository 201 based on the user ID included in the policy evaluation request.

In step S34, the authentication collaboration policy evaluating unit 210 reads the authentication collaboration policy 203 a from the authentication collaboration policy store 203 based on the service provider ID included in the policy evaluation request. In the present embodiment, among the authentication collaboration policies 203 a of FIG. 4, a first authentication collaboration policy (a policy when SP (1) is used) 203 aA related to A in FIG. 4 is read as a search result.

In step S35, when static policy evaluation is executed, the authentication collaboration policy evaluating unit 210 performs the policy evaluation process of determining whether or not transmission of the service data 303 a is to be permitted according to whether or not an affiliation and appointment included in the user attribute information 201 a read in step S33 match an affiliation and appointment represented by the authentication collaboration policy 203 aA read in step S34.

However, when active policy evaluation is executed using the user use management table 202 aA of step S32, policy evaluation is executed based on the service use status 202 a, the user attribute information 201 a, and the authentication collaboration policy 203 aA acquired through steps S32, S33, and S34.

For example, policy evaluation of step S35 will be described in connection with the use of SP (1) represented by the authentication collaboration policy 203 aA. The service use conditions of [1] to [4] are defined in the authentication collaboration policy 203 aA in advance ([4] is not defined in case of static policy evaluation), and it is checked whether or not the collected user use management table 202 aA and the user attribute information 201 a satisfy all of the service use conditions as follows. As a result, permission is given on the user's service request.

[1] of the authentication collaboration policy 203 aA: the authentication collaboration policy 203 a represents that a department to which the user belongs is X. To this, as illustrated in FIG. 2, a department of USER_A in the user attribute information 201 a is “X department.” Thus, USER_A satisfies the condition of [1] in the authentication collaboration policy 203 a.

[2] of the authentication collaboration policy 203 aA: the authentication collaboration policy 203 a represents that a division to which the user belongs is Y. To this, as illustrated in FIG. 2, a division of USER_A in the user attribute information 201 a is “Y division.” Thus, USER_A satisfies the condition of [2] in the authentication collaboration policy 203 a.

[3] of the authentication collaboration policy 203 aA: the authentication collaboration policy 203 a represents that the user's appointment is an appointment of Z or more. To this, as illustrated in FIG. 2, an appointment of USER_A in the user attribute information 201 a is “Z appointment.” Thus, the condition of [3] in the authentication collaboration policy 203 a is satisfied.

[4] of the authentication collaboration policy 203 aA: the authentication collaboration policy 203 a represents that the number of in-use accounts is not larger than an upper limit value. To this, as illustrated in FIG. 3, the current in-use number of SP (1) in the in-use number management table 202 aB is 10, which is not larger than the upper limit value, that is, 100. Thus, the condition of [4] in the authentication collaboration policy 203 a is satisfied.

As described above, authentication collaboration policy evaluation on the user's service request is performed using the user use management table 202 aA, the in-use number management table 202 aB, and the user attribute information 201 a based on the authentication collaboration policy 203 a which is defined in advance. Further, when it is checked that any one of the above conditions is not satisfied, the authentication collaboration policy evaluation result becomes rejection.

In other words, the authentication collaboration policy evaluating unit 210 determines whether or not transmission of service data is to be permitted according to whether or not the read user attribute information 201 a, the type of service that the user desires to use, an operation of the service that the user desires to make, and the user's environmental condition when a service is executed are suitable for the read authentication collaboration policy 203 a.

In step S36, the authentication collaboration policy evaluating unit 210 transmits the policy evaluation result including the determination result of step S35 to the authentication collaboration handling unit 209 as the policy evaluation response. Through the above process, the authentication collaboration policy evaluation (S31 to S36) of step S30 ends.
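Steps S31 to S36 as an added example (not code from the patent): the authentication collaboration policy 203 aA for SP (1) is modelled as conditions [1] to [4] above, evaluated in both the static mode (condition [4] undefined, so the in-use number management table 202 aB is never consulted) and the active mode, and the result is returned as a policy evaluation response naming the first unsatisfied condition so that a rejection can be audited. The appointment ordering, the policy and repository lookups, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UserAttribute:              # one row of user attribute information 201 a
    user_id: str
    department: str
    division: str
    appointment: str


@dataclass(frozen=True)
class CollaborationPolicy:        # one authentication collaboration policy 203 a
    sp_id: str
    department: str               # [1] department the user must belong to
    division: str                 # [2] division the user must belong to
    min_appointment: str          # [3] the user's appointment must be this or higher
    in_use_limit: bool            # [4] defined only for active policy evaluation


# Assumption: the text only says "appointment of Z or more", so an ordering
# of appointments has to be supplied; this one is constructed.
APPOINTMENT_RANK = {"W": 0, "Z": 1, "Z+": 2}

# In-use number management table 202 aB: SP ID -> (current in-use number, upper limit).
InUseTable = Dict[str, Tuple[int, int]]


def evaluate_policy(policy: CollaborationPolicy, attr: UserAttribute,
                    in_use_table: InUseTable, active: bool) -> Tuple[str, Optional[int]]:
    """Step S35. Returns ("permission", None) when every defined condition
    holds, otherwise ("rejection", n) with n the first unsatisfied condition."""
    if attr.department != policy.department:                         # [1]
        return "rejection", 1
    if attr.division != policy.division:                             # [2]
        return "rejection", 2
    user_rank = APPOINTMENT_RANK.get(attr.appointment, -1)           # unknown appointment ranks lowest
    if user_rank < APPOINTMENT_RANK[policy.min_appointment]:         # [3]
        return "rejection", 3
    if active and policy.in_use_limit:                               # [4], active evaluation only
        entry = in_use_table.get(policy.sp_id)
        if entry is None:
            return "rejection", 4     # no use status for this SP: fail closed rather than assume capacity
        in_use, upper_limit = entry
        if in_use > upper_limit:      # "not larger than the upper limit value"
            return "rejection", 4
    return "permission", None


# Constructed stores standing in for the IDP user repository 201, the
# authentication collaboration policy store 203 and the IDP service use
# status store 202.
USER_REPOSITORY = {
    "USER_A": UserAttribute("USER_A", "X", "Y", "Z"),
    "USER_C": UserAttribute("USER_C", "W", "Y", "Z"),
    "USER_D": UserAttribute("USER_D", "X", "Y", "W"),
}
POLICY_STORE = {"SP(1)": CollaborationPolicy("SP(1)", "X", "Y", "Z", in_use_limit=True)}
IN_USE_TABLE: InUseTable = {"SP(1)": (10, 100)}


def handle_policy_evaluation_request(user_id: str, sp_id: str, active: bool,
                                     in_use_table: InUseTable = IN_USE_TABLE) -> dict:
    """Steps S31 to S36: collect the inputs of steps S32 to S34 and return
    the policy evaluation response sent back to the handling unit 209."""
    attr = USER_REPOSITORY.get(user_id)
    policy = POLICY_STORE.get(sp_id)
    if attr is None or policy is None:
        # A user or SP the stores do not know can never be permitted.
        return {"user_id": user_id, "sp_id": sp_id, "result": "rejection",
                "failed_condition": None}
    result, failed = evaluate_policy(policy, attr, in_use_table, active)
    return {"user_id": user_id, "sp_id": sp_id, "result": result,
            "failed_condition": failed}


if __name__ == "__main__":
    print(handle_policy_evaluation_request("USER_A", "SP(1)", active=True))
    print(handle_policy_evaluation_request("USER_A", "SP(1)", active=True,
                                           in_use_table={"SP(1)": (101, 100)}))
```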

In the account collaboration of step S40, based on the policy evaluation response (in case of permission of service data transmission) acquired by the authentication collaboration policy evaluation of step S30, the user's account is generated on the SP user repository 302 of the service provider device 300, and the account collaboration necessary as the advance preparation of the SSO is realized between the ID provider device 200 and the service provider device 300. Hereinafter, the description will proceed with reference to a sequence diagram of FIG. 20 and a schematic diagram of FIG. 21.

In step S41, the authentication collaboration handling unit 209 checks the policy evaluation result included in the policy evaluation response transmitted in step S36, and transmits the account collaboration request including the user ID and the service provider ID in the policy evaluation request to the IDP account provisioning unit 211 when the policy evaluation response represents permission on the service request. Further, when the policy evaluation response represents rejection on the service use, information representing service use rejection is transmitted to the user terminal 100. Here, steps S42 to S49 will be described in connection with an example in which the policy evaluation response represents permission.

In step S42, the IDP account provisioning unit 211 reads the user setting rule 204 a from the SP user setting rule store 204 based on the service provider ID (here, SP (1)) included in the received account collaboration request. For example, the user setting rule 204 a is an item name (some item names of the user attribute) of a necessary user attribute or the like obtained for each service provider device 300 when the ID provider device 200 performs account registration on the service provider device 300. Here, the IDP account provisioning unit 211 is assumed to read some item names of the user attribute as the user setting rule 204 a.

In step S43, the IDP account provisioning unit 211 searches a deletiontarget account related to SP (1) from the deletion target account store207.

Further, it is determined whether or not the number of users of theservice provider ID (here, SP (1)) in the account collaboration receivedin the service use status information acquired from the IDP service usestatus store 202 by the authentication collaboration policy evaluatingunit 210 in step S32 reaches the upper limit, and when the number ofusers of SP (1) reaches the upper limit, the search of step S43 may beperformed. At this time, when the static policy evaluation is executedin step S32 and the service use status acquisition is not performed, theIDP provisioning unit 211 acquires the service use status from the IDPservice use status store 202 before step S43.

In the present embodiment, since USER_B remains registered to thedeletion target account store 207 as the deletion target account relatedto SP (1) as illustrated in FIG. 7, USER_B is here the search result.Further, when a plurality of deletion target accounts are present, oneuser ID may be deleted, or all user IDs may be deleted.

In step S44, based on some item names read in step S42 and the user IDincluded in the account collaboration request, the IDP accountprovisioning unit 211 acquires necessary user attribute information(hereinafter, referred to as “user attribute partial information)including item names matching some item names and item values associatedwith the corresponding item names from the user attribute information201 a including the user ID matching the user ID in the IDP userrepository 201.

In step S45, the IDP account provisioning unit 211 generates an SPaccount collaboration request message by adding “account registration”to the user attribute partial information acquired in step S44 as anoperation instruction and adding a “deletion” instruction to thedeletion target account acquired in step S43 as an operationinstruction, and transmits the generated account collaboration requestmessage to the SP account provisioning unit 308 of the service providerdevice 300. The IDP account provisioning unit 211 issues anauthentication collaboration ID and includes the authenticationcollaboration ID in the account collaboration request message.

For example, the operation instruction included in the accountcollaboration request message is an operation type of the SP userrepository 302 based on an operation interface opened by the SP accountprovisioning unit 308, and includes deletion, account registration,account update, and the like. In the present embodiment, since theuser's account does not remain registered to the service provider device300 side, in step S45, “account registration” is designated as theoperation instruction.

Further, the IDP account provisioning unit 211 issues the authenticationcollaboration ID shared between the service provider device 300 to whichthe SP account collaboration request message is transmitted and thesubject device 200, and includes the authentication collaboration ID inthe SP account collaboration request message.

In step S46, the SP account provisioning unit 308 operates the SP userrepository 302 based on the received account collaboration requestmessage. Specifically, when the operation instruction included in thereceived account collaboration request message is “accountregistration,” the SP account provisioning unit 308 newly issues an SPside user ID (the user ID of the service provider device 300 side), andregisters the SP side user ID and the user attribute partial informationincluded in the SP account collaboration request message to the SP userrepository 302 in association with each other. At this time, the SPaccount provisioning unit 308 also registers the authenticationcollaboration ID included in the account collaboration request message.

In step S46, when the operation instruction is “deletion,” the SPaccount provisioning unit 308 searches the user attribute partialinformation 302 a in the SP user repository 302 based on the deletiontarget account included in the account collaboration request message,and deletes the user attribute partial information 302 a including theuser ID matching the deletion target account.

In step S47, the SP account provisioning unit 308 updates the SP serviceuse status store 304 based on the received account collaboration requestmessage. Specifically, when the operation instruction included in thereceived account collaboration request message is “accountregistration,” the SP account provisioning unit 308 registers the userID included in the user attribute partial information in the accountcollaboration request message, the service use status “service in use,”the last use date and time, and the disk use amount to the user usemanagement table 304 aA of the SP service use status store 304 inassociation with one another, counts the number of user IDs of “servicein use”, and updates the current in-use number of the in-use numbermanagement table 304 aB.

Further, when the operation instruction included in the received accountcollaboration request message is “deletion,” the SP account provisioningunit 308 searches the SP service use status store 304 based on thedeletion target account included in the account collaboration requestmessage, and changes the service use status included in the service usestatus information 304 a of the search result to “service usesuspension.”

After the user repository operation of step S46 and the update of theservice use status store 202 of step S47, the SP account provisioningunit 308 notifies the ID provider device 200 which is the transmissionsource of the account collaboration request message of the operationcompletion including the registered user ID in the user attributepartial information 302 a and the service provider ID of the subjectdevice. Specifically, the IDP account provisioning unit 211 of the IDprovider device 200 is notified of the operation completion.

In step S48, the IDP account provisioning unit 211 registers theauthentication collaboration ID issued in step S45 to a USER_A record ofthe IDP user repository 201 a.

In step S49, the IDP account provisioning unit 211 transmits the accountcollaboration response representing the operation completion notified instep S47 to the authentication collaboration handling unit 209.

Through the above-described process, the account collaboration (S41 toS49) of step S40 ends.
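The account collaboration exchange of steps S42 to S47, as an added Go example that is not code from the patent or from any product it describes: the ID provider side builds the account collaboration request message from the SP user setting rule, the deletion target store and the user attribute information, and the service provider side applies the operation instructions to its user repository and service use status store. The store layouts, the map keys "SP(1)", "USER_A" and "USER_B", the "collab-…" and "sp-user-…" identifier formats, and the sample attribute values (including the "password" item that the setting rule deliberately does not list) are constructed assumptions for the example; the patent does not specify them.

```go
package main

import "fmt"

// Operation instructions carried in the account collaboration request message (S45).
const OpRegister, OpDelete = "account registration", "deletion"

// Operation is one instruction for the SP user repository; Attributes is set only for registration.
type Operation struct {
	Instruction, UserID string
	Attributes          map[string]string // user attribute partial information
}

// AccountCollaborationRequest is the message the IDP account provisioning unit sends in S45.
type AccountCollaborationRequest struct {
	AuthCollabID string
	Ops          []Operation
}

// IDProvider holds the IDP user repository, the SP user setting rules and the deletion target store.
type IDProvider struct {
	UserRepository   map[string]map[string]string // user ID -> full user attribute information
	UserSettingRules map[string][]string          // service provider ID -> item names the SP needs
	DeletionTargets  map[string][]string          // service provider ID -> deletion target accounts
}

// BuildAccountCollaborationRequest performs S42 to S45: only the rule's item names leave the IDP.
func (idp *IDProvider) BuildAccountCollaborationRequest(spID, userID string) (AccountCollaborationRequest, error) {
	itemNames, ruleOK := idp.UserSettingRules[spID]
	full, userOK := idp.UserRepository[userID]
	if !ruleOK || !userOK {
		return AccountCollaborationRequest{}, fmt.Errorf("no setting rule for %s or unknown user %s", spID, userID)
	}
	partial := map[string]string{} // S44: user attribute partial information
	for _, name := range itemNames {
		v, present := full[name]
		if !present { // never provision an account from an incomplete attribute set
			return AccountCollaborationRequest{}, fmt.Errorf("user %s lacks required item %q", userID, name)
		}
		partial[name] = v
	}
	req := AccountCollaborationRequest{AuthCollabID: "collab-" + spID + "-" + userID} // issued in S45
	req.Ops = append(req.Ops, Operation{OpRegister, userID, partial})
	for _, target := range idp.DeletionTargets[spID] { // S43: one deletion instruction per target
		req.Ops = append(req.Ops, Operation{OpDelete, target, nil})
	}
	return req, nil
}

// SPUser is one SP user repository record (user attribute partial information 302a).
type SPUser struct {
	SPUserID, AuthCollabID string
	Attributes             map[string]string
}

// ServiceProvider holds the SP user repository and the SP service use status store.
type ServiceProvider struct {
	Repository map[string]SPUser // keyed by IDP-side user ID
	UseStatus  map[string]string // user ID -> "service in use" or "service use suspension"; never removed
	InUseCount int               // current in-use number
}

// Apply performs S46 and S47 and returns what the operation completion reports back to the IDP.
func (sp *ServiceProvider) Apply(req AccountCollaborationRequest) (registered string, deleted []string, err error) {
	for _, op := range req.Ops {
		switch op.Instruction {
		case OpRegister:
			spUserID := fmt.Sprintf("sp-user-%d", len(sp.UseStatus)+1) // fresh SP side user ID
			sp.Repository[op.UserID] = SPUser{spUserID, req.AuthCollabID, op.Attributes}
			sp.UseStatus[op.UserID] = "service in use"
			sp.InUseCount++
			registered = op.UserID
		case OpDelete:
			if _, present := sp.Repository[op.UserID]; present {
				delete(sp.Repository, op.UserID)
				sp.UseStatus[op.UserID] = "service use suspension" // record kept, status changed
				sp.InUseCount--
				deleted = append(deleted, op.UserID)
			}
		default:
			return "", nil, fmt.Errorf("unknown operation instruction %q", op.Instruction)
		}
	}
	return registered, deleted, nil
}

// Constructed sample: USER_A is to be registered on SP(1); USER_B, already registered, is the deletion target.
func main() {
	idp := &IDProvider{
		UserRepository: map[string]map[string]string{
			"USER_A": {"name": "Alice", "affiliation": "sales", "password": "secret-a"},
			"USER_B": {"name": "Bob", "affiliation": "sales", "password": "secret-b"}},
		UserSettingRules: map[string][]string{"SP(1)": {"name", "affiliation"}},
		DeletionTargets:  map[string][]string{"SP(1)": {"USER_B"}}}
	sp := &ServiceProvider{Repository: map[string]SPUser{"USER_B": {"sp-user-1", "", nil}},
		UseStatus: map[string]string{"USER_B": "service in use"}, InUseCount: 1}
	req, err := idp.BuildAccountCollaborationRequest("SP(1)", "USER_A")
	if err != nil {
		panic(err)
	}
	fmt.Println(sp.Apply(req))
}
```

Two details carry the security weight: the request never contains an item the SP's setting rule does not list (so the password stays at the ID provider), and a missing required item aborts provisioning instead of creating a half-populated account. On the SP side the deleted user's record in the use status store is kept in the "service use suspension" state rather than dropped, which is what keeps the in-use number and a later recount consistent.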

In the authentication collaboration of step S50, after the account collaboration ends, the authentication collaboration, that is, the SSO, is performed between the ID provider device 200 and the service provider device 300. Hereinafter, the authentication collaboration of step S50 will be described with reference to a sequence diagram of FIG. 22 and a schematic diagram of FIG. 23.

In step S51, the authentication collaboration handling unit 209 analyzes the authentication result included in the account collaboration response notified in step S49. When there is no problem in the result, the authentication collaboration handling unit 209 transmits the authentication collaboration execution request including the service provider ID and the user ID included in the operation completion of the account collaboration response to the IDP authentication collaborating unit 208.

In step S52, upon receiving the authentication collaboration execution request, the IDP authentication collaborating unit 208 searches the IDP user repository based on the user ID included in the authentication collaboration execution request, and acquires the authentication collaboration ID.

In step S53, the IDP authentication collaborating unit 208 generates an assertion context including the authentication collaboration ID acquired in step S52 and the authentication scheme name of the log-in process performed in step S25. Further, the IDP authentication collaborating unit 208 generates a digital signature on the assertion context based on the signature generation key in the key storage unit 205. In addition, the IDP authentication collaborating unit 208 generates the authentication assertion 208 a including the assertion context and the digital signature.

In step S54, the IDP authentication collaborating unit 208 transmits the authentication collaboration response including the generated authentication assertion 208 a and the user ID included in the received authentication collaboration execution request to the service provider device 300 of the transmission source of the authentication collaboration request. The authentication collaboration response is received by the SP authentication collaborating unit 306 of the service provider device 300.

In step S55, the SP authentication collaborating unit 306 verifies each of the authentication scheme name included in the authentication assertion 208 a and the digital signature based on the authentication scheme name and the signature verification key in the authentication assertion verification policy 306. As a result, the SP authentication collaborating unit 306 determines whether or not the authentication result of the ID provider device 200 is reliable based on the authentication assertion 208 a issued by the ID provider device 200, and determines whether or not service data transmission (service provision) to the user is to be permitted. In the present embodiment, the verification result is assumed to be valid, and it is decided that service data transmission is permitted.

In step S56, when permission is decided in step S55, the SP authentication collaborating unit 306 issues the authentication token. The authentication token may be stored in a temporary storage unit (not illustrated) of the service provider device 300 in association with the authentication collaboration ID and the user ID.

In step S57, the SP authentication collaborating unit 306 transmits the service execution request including the authentication token issued in step S56 and the user ID associated with the authentication token via the authentication collaboration ID to the service data communicating unit 301.

In step S58, the service data communicating unit 301 transmits the authentication token in the service execution request and the service data 303 a in the service data store 303 to the user terminal 100 based on the transmitted service execution request.
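The authentication collaboration of steps S52 to S56, as an added Go example that is not code from the patent: the ID provider signs the assertion context (authentication collaboration ID plus authentication scheme name) with its signature generation key, and the service provider issues an authentication token only when the scheme name is one its verification policy accepts and the signature verifies with the signature verification key. The choice of Ed25519 for the digital signature, the length-prefixed byte encoding of the assertion context, the scheme name "password", the "USER_A" to "collab-1" mapping and the 16-byte hex token are assumptions made for the example; the patent does not specify any of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AssertionContext is the signed part of the authentication assertion (S53).
type AssertionContext struct {
	AuthCollabID string
	SchemeName   string // authentication scheme name of the log-in process of S25
}

// AuthenticationAssertion is the assertion context plus the IDP's digital signature over it.
type AuthenticationAssertion struct {
	Context   AssertionContext
	Signature []byte
}

// AuthenticationCollaborationResponse is what the IDP sends to the SP in S54.
type AuthenticationCollaborationResponse struct {
	UserID    string
	Assertion AuthenticationAssertion
}

// IDPAuthCollaboratingUnit: signature generation key (key storage unit 205) plus user ID -> collaboration ID.
type IDPAuthCollaboratingUnit struct {
	SigningKey ed25519.PrivateKey
	CollabIDs  map[string]string
}

// signedBytes is the canonical encoding both sides sign and verify; length prefixes make it unambiguous.
func signedBytes(ctx AssertionContext) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s", len(ctx.AuthCollabID), ctx.AuthCollabID, len(ctx.SchemeName), ctx.SchemeName))
}

// Respond performs S52 to S54: look up the collaboration ID, build and sign the assertion context.
func (u *IDPAuthCollaboratingUnit) Respond(userID, schemeName string) (AuthenticationCollaborationResponse, error) {
	collabID, ok := u.CollabIDs[userID]
	if !ok {
		return AuthenticationCollaborationResponse{}, fmt.Errorf("no authentication collaboration ID for %s", userID)
	}
	ctx := AssertionContext{AuthCollabID: collabID, SchemeName: schemeName}
	assertion := AuthenticationAssertion{Context: ctx, Signature: ed25519.Sign(u.SigningKey, signedBytes(ctx))}
	return AuthenticationCollaborationResponse{UserID: userID, Assertion: assertion}, nil
}

// TokenRecord is what the SP keeps in temporary storage for each issued token (S56).
type TokenRecord struct{ UserID, AuthCollabID string }

// SPAuthCollaboratingUnit: AcceptedSchemes and VerifyKey form the verification policy; Tokens is temporary storage.
type SPAuthCollaboratingUnit struct {
	AcceptedSchemes map[string]bool
	VerifyKey       ed25519.PublicKey
	Tokens          map[string]TokenRecord
}

// VerifyAndIssue performs S55 and S56: scheme name and signature must both pass before a token exists.
func (sp *SPAuthCollaboratingUnit) VerifyAndIssue(resp AuthenticationCollaborationResponse) (string, error) {
	ctx := resp.Assertion.Context
	if !sp.AcceptedSchemes[ctx.SchemeName] {
		return "", fmt.Errorf("authentication scheme %q is not accepted by the verification policy", ctx.SchemeName)
	}
	if !ed25519.Verify(sp.VerifyKey, signedBytes(ctx), resp.Assertion.Signature) {
		return "", errors.New("authentication assertion signature does not verify")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	sp.Tokens[token] = TokenRecord{UserID: resp.UserID, AuthCollabID: ctx.AuthCollabID} // S56 association
	return token, nil
}

// NewSampleUnits builds a constructed IDP/SP pair around one fresh Ed25519 key pair (USER_A holds "collab-1").
func NewSampleUnits() (*IDPAuthCollaboratingUnit, *SPAuthCollaboratingUnit, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	idp := &IDPAuthCollaboratingUnit{SigningKey: priv, CollabIDs: map[string]string{"USER_A": "collab-1"}}
	sp := &SPAuthCollaboratingUnit{AcceptedSchemes: map[string]bool{"password": true}, VerifyKey: pub,
		Tokens: map[string]TokenRecord{}}
	return idp, sp, nil
}

func main() {
	idp, sp, err := NewSampleUnits()
	if err != nil {
		panic(err)
	}
	resp, err := idp.Respond("USER_A", "password")
	if err != nil {
		panic(err)
	}
	fmt.Println(sp.VerifyAndIssue(resp))
}
```

The order of the two checks in VerifyAndIssue mirrors step S55: the scheme name is compared against the policy and the signature is verified against the verification key, and a response that fails either leaves no entry in the token store, so steps S57 and S58 have nothing to act on. Because the signature covers the collaboration ID, changing it after signing is detected at the SP.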

As described above, according to the authentication collaboration system of the present embodiment, the authentication collaboration handling unit 209 arranged in the ID provider device 200 intercepts the authentication collaboration request that the service provider device 300 issues upon the service request from the user to the service provider device 300, and determines whether or not the service data 303 a is to be transmitted based on the authentication collaboration policy 203 a which is defined in advance. Then, when the determination result represents permission, the user's account is generated on the SP user repository 302 managed in the service provider device 300 using the user attribute information 201 a managed in the ID provider device 200. Thereafter, the ID provider device 200 and the service provider device 300 each perform the authentication collaboration process of the related art, and the desired service is provided from the service provider device 300 to the user.

In addition, in the authentication collaboration system of the related art, the service provider checks whether it holds information sufficient to register an account and, when it does not, requests the ID provider to provide the missing user attribute, and thus a great deal of time and effort is required, and the checking and requesting are performed manually. However, in the authentication collaboration system of the present embodiment, due to the configuration in which the authentication collaboration policy 203 a is stored in advance, the checking and requesting are not performed manually as in the related art.

Further, in the authentication collaboration system of the present embodiment, the use status acquisition process in which the ID provider device 200 acquires the use status of the service provider device 300, which generally takes a long time, is not performed at the timing of the SSO but in advance. Thus, the standby time when the user logs in does not increase, and the user's burden can be reduced. Further, since the decision of the deletion target account is also performed in advance, the user's burden can be further reduced.

Thus, even in a state in which the user's account does not remain registered on the service provider device 300 side, it is automatically determined whether or not the service data 303 a is to be transmitted, based on the authentication collaboration policy 203 a defined in advance on the ID provider device 200 side, at the time of the user's service request, that is, at the SSO execution timing. Thus, it is possible to provide the user with seamless service use without requiring a manual operation or taking a long time.

Further, according to the authentication collaboration system of the present embodiment, in service use provided under a distributed environment such as the Internet, the series of processes from the service use request to the SSO (single sign-on) is automated based on the service use policy and the service use status which are defined in advance, and thus the user can smoothly start the service use.

The exemplary embodiments of the present invention have been described above, but the above embodiments are merely examples, and are not intended to limit the scope of the invention. The novel embodiments can be implemented in various forms, and omissions, replacements, or changes can be made within a range not departing from the gist of the invention. The embodiments or the modifications thereof are included in the scope or the gist of the invention, and included in the range equivalent to the inventions set forth in the claims.

For example, in the present embodiment, the ID provider device 200 side includes the trigger for requesting the use status acquisition process, but the trigger may be arranged on the service provider device 300 side. When the service provider device 300 side includes the trigger, in step S10 of FIG. 13, for example, the trigger determines whether or not the service use status registered in the SP service use status store 304 has been changed, and transmits the service use status acquisition execution request to the service use status providing unit 307 when it is determined that the service use status has been changed (step S11). Step S12 is not performed, and in step S13, the service use status providing unit 307 that has received the use status acquisition execution request acquires the service use status from the SP service use status store 304. Thereafter, the process of steps S14 to S19 is performed.

In this case, since no difference arises between the SP service use status store 304 and the IDP service use status store 202, accurate policy evaluation based on the service use status can be performed.

Further, in the authentication collaboration system of the present embodiment, in the service use status acquisition of step S10 started by the trigger 213, the deletion target account is decided in step S15, whereas the deletion of the deletion target account is performed in the account collaboration of step S40. This is in order to delay an operation such as deletion of an account as much as possible.

However, in order to give priority to improving the response time at the time of the SSO, the deletion of the deletion target account may be performed in the service use status acquisition of step S10. In other words, after the deletion target account decision of step S15, an account deletion message may be transmitted to the service provider device 300. In this case, in the account collaboration of step S40, only account registration is performed.

Further, for example, the update of the SP service use status store 304 of step S47 may be performed with reference to the user attribute partial information 302 a stored in the SP user repository 302 at predetermined time intervals rather than during the SSO process. As a result, the log-in standby time of the user can be reduced. In this case, the predetermined time interval for the update of the SP service use status store 304 is set to be shorter than the predetermined time interval set for the trigger that starts the service use status acquisition.

The technique described in the above embodiments may be stored in a storage medium such as a magnetic disk (such as a floppy (registered trademark) disk or a hard disk), an optical disk (such as a CD-ROM or a DVD), a magneto-optical (MO) disk, or a semiconductor memory, and distributed as a program executable by a computer.

Here, any computer readable storage medium capable of storing a program may be used as the storage medium regardless of its storage format.

Further, an operating system (OS), database management software, middleware such as network software, or the like which operates on a computer based on an instruction of a program installed in the computer from a storage medium may execute a part of each process for implementing the present embodiment.

Further, in the present embodiment, the storage medium is not limited to a medium independent of a computer, and also includes a storage medium in which a program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and even when the process of the present embodiment is executed through a plurality of media, the media are included as the storage medium of the present embodiment, and a medium may have any configuration.

Further, in the present embodiment, a computer executes each process according to the present embodiment based on a program stored in the storage medium, and may have the configuration of a device configured with a personal computer or the configuration of a system in which a plurality of devices are connected via a network.

Further, each storage unit of the present embodiment may be implemented by a single storage device or a plurality of storage devices.

Furthermore, in the present embodiment, the computer is not limited to the personal computer; it includes an arithmetic processing unit, a microcomputer, or the like included in an information processing device, and is a general term for equipment or a device capable of implementing the function of the present embodiment through a program.

DESCRIPTION OF THE REFERENCE NUMERALS

100: user terminal

200: ID provider device

201: IDP user repository

202: IDP service use status store

203: authentication collaboration policy store

204: SP user setting rule store

205: key storage unit

206: deletion target decision policy store

207: deletion target account store

208: IDP authentication collaborating unit

209: authentication collaboration handling unit

210: authentication collaboration policy evaluating unit

211: IDP account provisioning unit

212: service use status managing unit

213: trigger

214: service use status acquiring unit

215: deletion target account deciding unit

300: service provider device

301: service data communicating unit

302: SP user repository

303: service data store

304: SP service use status store

305: verification policy store

306: SP authentication collaborating unit

307: service use status providing unit

308: SP account provisioning unit

The invention claimed is:
1. An authentication collaboration system, comprising an ID provider device that performs a log-in process on a user terminal operated by a user; and a service provider device that transmits service data to the user terminal when the log-in process is completed, wherein the user terminal transmits a service use request to the service provider device, the ID provider device includes an IDP user repository that stores user attribute information in which an item name of a user attribute specifying the user is associated with an item value of the user attribute, the user attribute information including a user ID identifying the user, an IDP service use status store that stores service use status information in which the user ID, a service provider ID identifying the service provider device, and a use status of the service provider device are associated with one another, an authentication collaboration policy store that stores authentication collaboration policy information representing a user which is a target to which transmission of service data by the service provider device identified by the service provider ID is permitted for each service provider ID, an SP user setting rule store that stores the service provider ID in association with some item names among item names of a user attribute in the user attribute information, a deletion target decision policy store that stores deletion target decision policy information representing a user which is a target in which transmission permission of service data is deleted in a service provider device identified by the service provider ID for each service provider ID, a service use status acquiring unit that acquires service use status information transmitted from the service provider device when a predetermined cycle comes or when the use status of the service provider device is changed, and updates the IDP service use status store based on the acquired service use status information, a deletion target account deciding unit that decides a deletion target account of each service provider ID included in the service use status information based on the user attribute information, the service use status information, and the deletion target decision policy information, an authentication collaboration handling unit that transmits a user authentication request including address information of a user terminal in the authentication collaboration request when an authentication collaboration request including the service provider ID of the service provider device and the address information of the user terminal is received from the service provider device that has received the service use request, an IDP authentication collaboration unit that transmits a log-in request to the user terminal based on the address information of the user terminal in the transmitted user authentication request, and executes a log-in process of authenticating the user ID and the user authentication information received from the user terminal based on a user ID and a password in the IDP user repository, wherein the authentication collaboration handling unit transmits a policy evaluation request including the user ID used in the log-in process and the service provider ID in the authentication collaboration request when the log-in process is successfully performed, an authentication collaboration policy evaluating unit that reads the user attribute information from the IDP user repository based on the user ID in the transmitted policy evaluation request, reads the authentication collaboration policy information from the authentication collaboration policy store based on the service provider ID in the transmitted policy evaluation request, determines whether or not transmission of service data is to be permitted based on the read authentication collaboration policy information and the read user attribute information, and transmits a policy evaluation response including a determination result to a transmission source of the policy evaluation request, wherein the authentication collaboration handling unit transmits the account collaboration request including the user ID and the service provider ID in the policy evaluation request when the determination result in the policy evaluation response represents permission, an IDP account provisioning unit that reads some item names of a user attribute from the SP user setting rule store based on the service provider ID in the transmitted account collaboration request, acquires user attribute partial information including item names matching some item names and item values associated with the item names from the user attribute information including a user ID matching a user ID in the IDP user repository based on the read some item names and the user ID in the account collaboration request, acquires a deletion target account from the deletion target account decided by the deletion target account deciding unit based on the service provider ID in the transmitted account collaboration request, generates an account collaboration request message by adding an account registration instruction to the acquired user attribute partial information as an operation instruction and adding an account deletion instruction or an account invalidating instruction to the acquired deletion target account as an operation instruction, transmits the account collaboration request message to a service provider device of a transmission source of the authentication collaboration request, and transmits an account collaboration response representing operation completion when operation completion including the service provider ID of the service provider device and the address information of the user terminal in the user attribute partial information is notified from a service provider device of a transmission destination of the account collaboration request message, wherein the authentication collaboration handling unit transmits an authentication collaboration execution request including the service provider ID included in the operation completion in the transmitted account collaboration response and the user ID, and wherein the IDP authentication collaboration unit transmits an authentication collaboration response including the user ID in the authentication collaboration execution request to the service provider device of the transmission source of the authentication collaboration request when the authentication collaboration execution request is received, and the service provider device includes an SP user repository that stores user attribute partial information in which some item names and item values are associated with each other among item names and item values of a user attribute in the user attribute information in the IDP user repository in association with an SP side user ID identifying the user in the service provider device, a service data store that stores the service data, an SP service use status store that stores the user ID in association with the use status of the service provider device, a service use status providing unit that acquires the use status of the service provider device from the SP service use status store, and transmits the acquired use status to the ID provider device, an SP authentication collaboration unit that determines whether or not the service request includes an authentication token when the service request is received from the user terminal, transmits the authentication token and service data in the service data store to the user terminal when it is determined that the service request includes an authentication token, and transmits the authentication collaboration request to the ID provider device when it is determined that the service request does not include an authentication token, an SP account providing unit that issues a new SP side user ID and registers the issued SP side user ID and the user attribute partial information in the account collaboration request message to the SP user repository in association with each other when the account collaboration request message is received and the operation instruction included in the account collaboration request message represents the account registration, searches the SP user repository based on the deletion target account in the account collaboration request message and deletes the user attribute partial information including the user ID matching the deletion target account when the operation instruction included in the account collaboration request message represents the account deletion, and notifies the ID provider device of the transmission source of the account collaboration request message of update completion including the registered user ID in the user attribute partial information or the deleted user ID in the user attribute partial information and the service provider ID of the service provider device after the registration or the deletion, wherein the SP authentication collaboration unit performs verification of the authentication collaboration response when the authentication collaboration response is received from the ID provider device, issues the authentication token when a verification result represents permission, transmits the service execution request including the user ID included in the authentication collaboration response and the authentication token, and transmits the authentication token in the service execution request and service data in the service data store to the user terminal based on the transmitted service execution request.
 2. The authentication collaboration system according to claim 1, wherein the authentication collaboration policy evaluating unit determines whether or not transmission of service data is to be permitted based on the service use status information.
 3. The authentication collaboration system according to claim 1 or claim 2, wherein the service account provisioning unit invalidates the user attribute partial information when the deletion target account matches the user ID included in the user attribute partial information.
 4. The authentication collaboration system according to any one of claims 1 or 2, wherein the service provider device transmits the use status to the ID provider device when the use status of the service provider device stored in the SP service use status store changes.
 5. An ID provider device that is connected with a service provider device transmitting service data to a user terminal operated by a user to configure an authentication collaboration system, transmits a service use request to the service provider device, and performs a log-in process on the user terminal, the ID provider device comprising: an IDP user repository that stores user attribute information in which an item name of a user attribute specifying the user is associated with an item value of the user attribute, the user attribute information including a user ID identifying the user; an IDP service use status store that stores service use status information in which the user ID, a service provider ID identifying the service provider device, and a use status of the service provider device are associated with one another; an authentication collaboration policy store that stores authentication collaboration policy information representing a user which is a target to which transmission of service data by the service provider device identified by the service provider ID is permitted for each service provider ID; an SP user setting rule store that stores the service provider ID in association with some item names among item names of a user attribute in the user attribute information; a deletion target decision policy store that stores deletion target decision policy information representing a user which is a target in which transmission permission of service data is to be deleted in a service provider device identified by the service provider ID for each service provider ID; a service use status acquiring unit that transmits a use status acquisition request to the service provider device, acquires service use status information transmitted from the service provider device based on the use status acquisition request, and updates the IDP service use status store based on the acquired service use status information; a deletion target account deciding unit that decides a deletion target account of each service provider ID included in the service use status information based on the user attribute information, the service use status information, and the deletion target decision policy information; an authentication collaboration handling unit that transmits a user authentication request including address information of a user terminal in the authentication collaboration request when an authentication collaboration request including the service provider ID of the service provider device and the address information of the user terminal is received from the service provider device that has received the service use request; an IDP authentication collaboration unit that transmits a log-in request to the user terminal based on the address information of the user terminal in the transmitted user authentication request, and executes a log-in process of authenticating the user ID and the user authentication information received from the user terminal based on a user ID and a password in the IDP user repository; wherein the authentication collaboration handling unit transmits a policy evaluation request including the user ID used in the log-in process and the service provider ID in the authentication collaboration request when the log-in process is successfully performed, an authentication collaboration policy evaluating unit that reads the user attribute information from the IDP user repository based on the user ID in the transmitted policy evaluation request, reads the authentication collaboration policy information from the authentication collaboration policy store based on the service provider ID in the transmitted policy evaluation request, determines whether or not transmission of service data is to be permitted based on the read authentication collaboration policy information and the read user attribute information, and transmits a policy evaluation response including a determination result to a transmission source of the policy evaluation request; wherein the authentication collaboration handling unit transmits the account collaboration request including the user ID and the service provider ID in the policy evaluation request when the determination result in the policy evaluation response represents permission, an IDP account provisioning unit that reads some item names of a user attribute from the SP user setting rule store based on the service provider ID in the transmitted account collaboration request, acquires user attribute partial information including item names matching some item names and item values associated with the item names from the user attribute information including a user ID matching a user ID in the IDP user repository based on the read some item names and the user ID in the account collaboration request, acquires a deletion target account from the deletion target account decided by the deletion target account deciding unit based on the service provider ID in the transmitted account collaboration request, generates an account collaboration request message by adding an account registration instruction to the acquired user attribute partial information as an operation instruction and adding an account deletion instruction or an account invalidating instruction to the acquired deletion target account as an operation instruction, transmits the account collaboration request message to a service provider device of a transmission source of the authentication collaboration request, and transmits an account collaboration response representing operation completion when operation completion including the service provider ID of the service provider device and the address information of the user terminal in the user attribute partial information is notified from a service provider device of a transmission destination of the account collaboration request message; wherein the authentication collaboration handling unit transmits an authentication collaboration execution request including the service provider ID included in the operation completion in the transmitted account collaboration response and the user ID, and wherein the IDP authentication collaboration unit transmits an authentication collaboration response including the user ID in the authentication collaboration execution request to the service provider device of the transmission source of the authentication collaboration request when the authentication collaboration execution request is received.
 6. Anon-transitory computer readable medium for causing a computer toperform operations of an ID provider device that is connected with aservice provider device transmitting service data to a user terminaloperated by a user to configure an authentication collaboration system,transmits a service use request to the service provider device, andperforms a log-in process on the user terminal, the operationscomprising: a function of storing user attribute information in which anitem name of a user attribute specifying the user is associated with anitem value of the user attribute, the user attribute informationincluding a user ID identifying the user; a function of storingauthentication collaboration policy information representing a userwhich is a target to which transmission of service data by the serviceprovider device identified by the service provider ID is permitted foreach service provider ID; a function of storing the service provider IDin association with some item names among item names of a user attributein the user attribute information; a function of storing deletion targetdecision policy information representing a user which is a target inwhich transmission permission of service data is to be deleted in aservice provider device identified by the service provider ID for eachservice provider ID; a function of transmitting a use status acquisitionrequest to the service provider device, acquiring service use statusinformation transmitted from the service provider device based on theuse status acquisition request, and storing service use statusinformation in which the user ID, a service provider ID identifying theservice provider device, and a use status of the service provider deviceare associated with one another based on the acquired service use statusinformation; a function of deciding a deletion target account of eachservice provider ID included in the service use status information basedon the user attribute information, the service use status 
information,and the deletion target decision policy information; a function oftransmitting a user authentication request including address informationof a user terminal in the authentication collaboration request when anauthentication collaboration request including the service provider IDof the service provider device and the address information of the userterminal is received from the service provider device that has receivedthe service use request; a function of transmitting a log-in request tothe user terminal based on the address information of the user terminalin the transmitted user authentication request, and executing a log-inprocess of authenticating the user ID and the user authenticationinformation received from the user terminal based on a user ID and apassword of the user attribute information; a function of transmitting apolicy evaluation request including the user ID used in the log-inprocess and the service provider ID in the authentication collaborationrequest when the log-in process is successfully performed; a function ofreading the user attribute information based on the user ID in thetransmitted policy evaluation request; a function of reading theauthentication collaboration policy information based on the serviceprovider ID in the transmitted policy evaluation request; a function ofdetermining whether or not transmission of service data is to bepermitted based on the read authentication collaboration policyinformation and the read user attribute information; a function oftransmitting a policy evaluation response including a determinationresult to a transmission source of the policy evaluation request; afunction of transmitting the account collaboration request including theuser ID and the service provider ID in the policy evaluation requestwhen the determination result in the policy evaluation responserepresents permission; a function of reading some item names of a userattribute based on the service provider ID in the transmitted 
accountcollaboration request; a function of acquiring user attribute partialinformation including item names matching some item names and itemvalues associated with the item names from the user attributeinformation including a user ID matching a user ID based on read someitem names and the user ID in the account collaboration request; afunction of acquiring a deletion target account from the decideddeletion target account based on the service provider ID in thetransmitted account collaboration request; a function of generating anaccount collaboration request message by adding an account registrationinstruction to the acquired user attribute partial information as anoperation instruction and adding an account deletion instruction or anaccount invalidating instruction to the acquired deletion target accountas an operation instruction; a function of transmitting the accountcollaboration request message to a service provider device of atransmission source of the authentication collaboration request; afunction of transmitting an account collaboration response representingoperation completion when operation completion including the serviceprovider ID of the service provider device and the address informationof the user terminal in the user attribute partial information isnotified from a service provider device of a transmission destination ofthe account collaboration request message; a function of transmitting anauthentication collaboration execution request including the serviceprovider ID included in the operation completion in the transmittedaccount collaboration response and the user ID, and a function oftransmitting an authentication collaboration response including the userID in the authentication collaboration execution request to the serviceprovider device of the transmission source of the authenticationcollaboration request when the authentication collaboration executionrequest is received.
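The ID provider flow shared by claims 5 and 6 (updating the service use status store, deciding deletion target accounts, evaluating the authentication collaboration policy, and building an account collaboration request message that carries a registration instruction plus deletion or invalidation instructions) as an added Python model; it is not code from the patent, and the user data, the policies, the 90-day idle rule and the exclusion of the account being registered from the deletion targets are all constructed assumptions.

```python
# Added example, not code from the patent: a minimal model of the ID provider
# flow in claims 5 and 6 (use status update, deletion target decision, policy
# evaluation, account collaboration request message). All data is constructed.

IDP_USER_REPOSITORY = {  # user ID -> user attribute item names and item values
    "u001": {"name": "Alice", "dept": "sales", "role": "staff"},
    "u002": {"name": "Bob", "dept": "eng", "role": "contractor"},
    "u003": {"name": "Carol", "dept": "sales", "role": "staff"},
}
# authentication collaboration policy, per SP ID: who may receive service data
AUTH_COLLAB_POLICY = {"sp-crm": lambda attrs: attrs["dept"] == "sales"}
# SP user setting rule, per SP ID: the item names the SP is allowed to receive
SP_USER_SETTING_RULE = {"sp-crm": ("name", "dept")}
# deletion target decision policy, per SP ID (constructed rule: contractors and
# accounts idle for more than 90 days lose transmission permission)
DELETION_POLICY = {
    "sp-crm": lambda attrs, st: attrs["role"] == "contractor" or st["idle_days"] > 90
}
SERVICE_USE_STATUS = {}  # (user ID, SP ID) -> use status reported by the SP


def update_service_use_status(sp_id, use_status_response):
    """Store each (user ID, SP ID, use status) triple from the SP's response."""
    for user_id, status in use_status_response.items():
        SERVICE_USE_STATUS[(user_id, sp_id)] = status


def decide_deletion_targets(sp_id):
    """Deletion target accounts for one SP from attributes, use status and policy."""
    policy = DELETION_POLICY[sp_id]
    return sorted(uid for (uid, sid), st in SERVICE_USE_STATUS.items()
                  if sid == sp_id and policy(IDP_USER_REPOSITORY[uid], st))


def evaluate_policy(user_id, sp_id):
    """Policy evaluation result: may service data be transmitted to this user?"""
    return bool(AUTH_COLLAB_POLICY[sp_id](IDP_USER_REPOSITORY[user_id]))


def build_account_collaboration_message(user_id, sp_id, invalidate=False):
    """Registration instruction for the user's partial attributes plus a
    deletion (or invalidation) instruction per deletion target account."""
    if not evaluate_policy(user_id, sp_id):
        raise PermissionError(f"policy denies service data for {user_id} at {sp_id}")
    allowed = SP_USER_SETTING_RULE[sp_id]  # only these item names leave the IdP
    partial = {k: v for k, v in IDP_USER_REPOSITORY[user_id].items() if k in allowed}
    ops = [{"op": "register", "user_id": user_id, "attributes": partial}]
    op = "invalidate" if invalidate else "delete"
    # assumption: the account being registered now is not also a deletion target
    ops += [{"op": op, "user_id": t} for t in decide_deletion_targets(sp_id) if t != user_id]
    return {"sp_id": sp_id, "operations": ops}
```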